- "blog-posts" tags:
- "freebsd"
- "freebsd-jails"
- "jails"
- "jails-networking"
note: This guide gives a rough idea of how to set up a proper jail with networking enabled.
update: You can install packages into your jails from the host, without having to download and install pkg inside each jail.
This article is written for people who would like to create working jails on a FreeBSD system. It was written for 11.4-RELEASE.
PREREQUISITES
Make sure your FreeBSD system is up to date. Make sure the binary package management is up to date as well.
ENABLE PF FIREWALL
An example configuration is given below; you are required to do your own homework on configuring the firewall to your liking, and I can only help to a certain extent. Copy the firewall configuration and save it in /etc/pf.conf.
```
extif="vtnet0"
# fill in the host's public address: while this macro is empty, pfctl will
# not load the nat and rdr rules below
public_ip=""
www_jail_ip="10.0.0.1"
mysql_jail_ip="10.0.0.2"
jail_net="10.0.0.0/24"
www_port="{80,443,3306}"
tcp_port="{21,80,81,10000,20000,443,53,67,68,22}"
table <nonroutable> const { 127/8, 172.16/12, 169.254/16, 192.0.2/24, 0/8, 240/4 }
set skip on lo
set debug urgent
set block-policy drop
set loginterface $extif
set state-policy if-bound
set fingerprints "/etc/pf.os"
set ruleset-optimization none
set optimization aggressive
scrub log on $extif all random-id min-ttl 15 set-tos 0x1c fragment reassemble
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
#scrub log on $extif all random-id min-ttl 15 set-tos 0x1c fragment reassemble
nat pass log (all, to pflog0) on $extif from $jail_net to any -> $public_ip
# rdr rules are first-match: the first rule below takes every $www_port
# connection, so the second one (to $mysql_jail_ip) never matches. Note also
# that "rdr pass" admits the redirected traffic without evaluating the
# filter rules further down, so these ports are reachable even though
# 3306 is not in $tcp_port.
rdr pass log (all, to pflog0) on $extif proto {tcp,udp} from any to $public_ip port $www_port -> $www_jail_ip
rdr pass log (all, to pflog0) on $extif proto {tcp,udp} from any to $public_ip port $www_port -> $mysql_jail_ip
# the same shadowing applies to port 53: only the first rule is ever used
rdr pass log (all, to pflog0) on $extif proto {tcp,udp} from any to $public_ip port 53 -> $www_jail_ip
rdr pass log (all, to pflog0) on $extif proto {tcp,udp} from any to $public_ip port 53 -> $mysql_jail_ip
#rdr pass log (all, to pflog0) on $extif proto {tcp,udp} from any to $public_ip port 21 -> $jail_net
rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"
block log (all, to pflog0)
block log (all, to pflog0) on $extif from <nonroutable> to any
pass out log (all, to pflog0) quick on $extif proto {tcp,udp} to any keep state
pass in log (all, to pflog0) quick on $extif proto {tcp,udp} to any port $tcp_port keep state
```
Once you have saved the file, add the following lines to /etc/rc.conf so that PF and pflog0 start at boot.
```
pf_enable="yes"
pf_flags=""
pf_rules="/etc/pf.conf"
pflog_enable="yes"
pflog_logfile="/var/log/pflog0"
pflog_flags=""
gateway_enable="yes"
```
Now start the PF firewall by issuing the following commands:
```
#service pf start
#service pflog start
```
The first starts the PF firewall; the second starts the pflog facility for debugging purposes.
INSTALL JAIL THE FREEBSD WAY
In this section we will issue one command to install the jail, set up its configuration file, and modify an existing file.
note: Make sure you have the necessary directories set up before creating jails; the path will be needed for the configuration later.
The command that does the magic of creating a jail is the following:
```
#bsdinstall jail /path/to/jail
```
Follow the on-screen instructions; it will fetch the necessary files and place them in the directory you specified.
JAIL NETWORKING
If you have read this far and you know how IPv4 networking works, you will be wondering whether NAT is set up for the jails. The answer is yes, in the PF section above.
You will need to assign private network addresses (the example uses the 10.0.0.0/24 range) to your jails. Depending on how many jails you created with the command above, add an entry like the following to /etc/rc.conf for each jail address. The interface is your FreeBSD system's interface, and the alias number increases with the number of jails you have:
```
ifconfig_<INTERFACENAME>_alias<NUM>="inet 10.0.0.1 netmask 255.255.255.0"
```
/ETC/JAIL.CONF CONFIGURATION
Here will be your jails' configuration, from IP address to hostname and rc scripts for shutdown and restart. I will be providing my own /etc/jail.conf. You can read up on jail configuration in the FreeBSD documentation and manual.
```
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
# lets ping(8) and traceroute(8) work inside the jails, but jail(8) warns that
# raw sockets reach several network subsystems, so omit it for jails whose
# root access is handed to untrusted parties
allow.raw_sockets;
mysql-jail {
    ip4.addr = 10.0.0.2;            # must already exist as an alias on the host interface
    path = "/usr/jails/mysql-jail";
}
www-jail {
    ip4.addr = 10.0.0.1;
    path = "/usr/jails/www-jail";   # Path to the jail
}
```
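A pre-flight check that ties the PF, rc.conf and jail.conf pieces above together. This is an added example, not code from the original post: it parses constructed copies of the three files (mirroring the configuration in this post), flags pf.conf macros left empty (the `public_ip=""` above), and lists every jail whose `ip4.addr` has no matching `ifconfig_<if>_alias<n>` entry in rc.conf, which is exactly what the rc.conf snippet above would trip on for 10.0.0.2. The `pfctl -nf` syntax check only runs where pf is installed. The file contents, the temporary directory and the function names are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight check for the jail networking setup (added example, not from the post).
#   pf.conf   -> macros assigned "" (pfctl cannot expand them in nat/rdr rules)
#   jail.conf -> every ip4.addr
#   rc.conf   -> every ifconfig_<if>_alias<n> address
# jail(8) does not add ip4.addr to an interface unless an "interface" parameter
# is set, so each jail address must already be provided by an rc.conf alias.
# The three files below are constructed samples that mirror the post's config.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/pf.conf" <<'EOF'
extif="vtnet0"
public_ip=""
www_jail_ip="10.0.0.1"
mysql_jail_ip="10.0.0.2"
jail_net="10.0.0.0/24"
nat pass log (all, to pflog0) on $extif from $jail_net to any -> $public_ip
EOF

cat > "$WORK/jail.conf" <<'EOF'
exec.clean;
mount.devfs;
mysql-jail {
    ip4.addr = 10.0.0.2;
    path = "/usr/jails/mysql-jail";
}
www-jail {
    ip4.addr = 10.0.0.1;
    path = "/usr/jails/www-jail"; # Path to the jail
}
EOF

cat > "$WORK/rc.conf" <<'EOF'
pf_enable="yes"
ifconfig_vtnet0_alias0="inet 10.0.0.1 netmask 255.255.255.0"
jail_enable="YES"
EOF

# empty_macros PFCONF: names of macros assigned an empty string
empty_macros() {
    awk -F'=' '/^[A-Za-z_][A-Za-z0-9_]*=""[ \t]*$/ { print $1 }' "$1"
}

# jail_addrs JAILCONF: "jailname address" for each ip4.addr (one address per jail assumed)
jail_addrs() {
    awk '
        /^[A-Za-z0-9_.-]+[ \t]*[{]/ { name = $1; sub(/[ \t]*[{].*/, "", name) }
        /ip4\.addr[ \t]*=/ {
            v = $0; sub(/.*=[ \t]*/, "", v); sub(/[ \t;].*/, "", v)
            print name, v
        }' "$1"
}

# alias_addrs RCCONF: the address of every ifconfig_<if>_alias<n> entry
alias_addrs() {
    awk -F'"' '/^ifconfig_[A-Za-z0-9]+_alias[0-9]+=/ { split($2, f, " "); print f[2] }' "$1"
}

# missing_aliases JAILCONF RCCONF: jails whose address no alias provides
missing_aliases() {
    aliases=" $(alias_addrs "$2" | tr '\n' ' ') "
    jail_addrs "$1" | while read -r name addr; do
        case "$aliases" in
            *" $addr "*) ;;                         # alias present
            *) printf '%s %s\n' "$name" "$addr" ;;  # nothing on the host carries it
        esac
    done
}

# preflight PFCONF JAILCONF RCCONF: print findings; return 1 if anything needs fixing
preflight() {
    status=0
    for m in $(empty_macros "$1"); do
        echo "pf.conf: macro $m is empty; set it before loading the ruleset"
        status=1
    done
    missing_aliases "$2" "$3" | while read -r name addr; do
        echo "rc.conf: no ifconfig alias provides $addr for jail $name"
    done
    [ -z "$(missing_aliases "$2" "$3")" ] || status=1
    # real parse of the ruleset, only where pf exists (-n checks without loading)
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1" || status=1
    fi
    return $status
}

preflight "$WORK/pf.conf" "$WORK/jail.conf" "$WORK/rc.conf" && echo "preflight OK"
```

Run it before `service pf start` and `service jail start`. When it reports a missing alias, add an `ifconfig_<if>_alias<n>` entry for that address (for a second address in the same subnet FreeBSD expects a netmask of 255.255.255.255) and rerun until it prints `preflight OK`.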
ENABLING JAIL
Enabling the jails is simple: issue the following command to enable them in /etc/rc.conf.
```
#sysrc jail_enable=YES
```
STARTING THE JAILS
To start the jails, you can start all of them in one go by issuing the following command:
```
#service jail start
```
Or start them individually by issuing the following command:
```
#service jail start <JAIL_NAME>
```
ACCESSING THE JAILS
To access a jail, you can issue the following command:
```
#jexec <JAILNAME>
```
UPDATING THE JAILS
To update a jail, simply issue the command below to bring it to the host's version:
```
freebsd-update -b /path/to/jail fetch install
```
INSTALLING PACKAGES INSIDE JAILS
You can choose to install software inside the jail from the ports tree or using the pkg command. However, it is recommended to manage jail packages from the host rather than from inside the jail. While host-based package management uses the host's packaging tools, it stores the jail's package database inside the jail and uses the jail's pkg.conf, certificates and so on. This lets each jail use different repositories.
To install a package, for example sudo, inside the jail, run the following command:
```
#pkg -j <JAIL_ID> install sudo
```
CONCLUSION
Updated to reflect knowledge obtained while reading an ebook on FreeBSD jails from a reputable ebook site.
REFERENCES
https://www.freebsd.org/doc/handbook/jails-build.html
https://www.cyberciti.biz/tips/freebsd-how-to-setup-2-ip-address-on-one-nic.html
https://www.freebsd.org/cgi/man.cgi?query=jail&sektion=8
https://www.freebsd.org/cgi/man.cgi?query=jail.conf&sektion=5&apropos=0&manpath=FreeBSD+12.1-RELEASE+and+Ports